On Sun, Jan 29, 2006 at 02:10:46PM -0500, Trond Myklebust wrote:>On Sun, 2006-01-29 at 11:49 -0700, Dax Kelson wrote:>>>Has anyone tried to look for simpler signing mechanisms that make use of>>>the crypto algorithms that are already in the kernel?>> >> Maybe you meant something else, but history has shown that 'rolling your own' mechanism is a bad idea.>> >> Are there even any suitable algorithms in the kernel??>>I'm suggesting that if the only real problem that dsa in the kernel>solves is module signing, then perhaps one can simplify the problem.>>For instance, if instead of going for a general signing mechanism in the>kernel that will take any old module and verify it, you define a>particular binary as being trusted, and then devise a signature that the>kernel can check (even the SHA-1 of the binary image might be>sufficient).>The object would be to give the kernel a trusted program that can check>module signatures on its behalf.

Today, if a security bug is found in the kernel, you have to compile and install a new kernel.

With your system, the signature of a "trusted" binary is embedded in the kernel. Now, if a bug is found in said binary, you also get to compile and install a new kernel along with a new binary.

Since the application is trusted, a security hole in the binary equals a security hole in the kernel. In addition, you are bound to a given kernel <-> userspace ABI, so if it has to be changed, you get to keep several different trusted binaries around for different kernel versions (/sbin/module-validate-v1 for ABI version 1, /sbin/module-validate-v2 for ABI version 2, etc).

Further, how is the module actually verified? If the trusted binary reads it and checks "something" (i.e. a signature), and then says it's ok, what is to say that the module is not changed on-disk between the time when the binary reads it and when the kernel does so (for instance by direct access to the disk). How do you expect the system to provide security if you are running with nfs-root?

In addition you must protect the user-space binary against a slew of attacks (you did statically link it to protect against LD_PRELOAD, right?).